WIP

2024-08-22 22:56:24 +02:00
3 changed files with 8 additions and 1 deletions
--- a/base.nix
+++ b/base.nix
@ -174,6 +174,7 @@
    extraConfig = "return 444;";
  };
  # TODO: upstream
  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
  systemd.services.logrotate = {
    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
@ -210,6 +211,8 @@
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        # "~@privileged"
        # "~@resources"
      ];
    };
  };
--- a/hosts/bekkalokk/services/phpfpm.nix
+++ b/hosts/bekkalokk/services/phpfpm.nix
@ -31,7 +31,7 @@ in
      PrivateMounts = true;
      ProtectClock = true;
      ProtectControlGroups = true;
-      ProtectHome = true;
+      ProtectHome = true; # Needed to read passwords from /run maybe?
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
@ -45,6 +45,8 @@ in
      KeyringMode = "private";
      SystemCallFilter = [
        "@system-service"
        # "~@privileged"
        # "~@resources"
      ];
    };
  });
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@ -71,6 +71,8 @@ in {
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      # IPAddressDeny = [ "any" ];
      # IPAddressAllow = [  ];
      LockPersonality = true;
      NoNewPrivileges = true;
      # MemoryDenyWriteExecute = true;